14

How to password protect Grub menu from the ro recovery nomodeset command. I want it so that no one, unless they have the password, can make changes to the menu to try to get into recovery.

grub

ElefantPhace
  • It's not quite clear. Do you want to password protect the ability to boot or the ability to edit the grub configuration/get to a grub console? – Seth Aug 03 '15 at 21:45
  • Preferably both, and could you please show me the commands in detail? I'm kind of new to Linux – Randol Albert Aug 03 '15 at 21:48
  • There is an option to disable recovery mode in grub, as well as making grub not show up (i.e. boot straight to a particular OS you choose, or if you have just one OS, boot to that without delay). Would you be interested in that? Let me know, I'll post this as an answer if you want – Sergiy Kolodyazhnyy Aug 04 '15 at 02:18

2 Answers

15

Grub allows you to password protect its config and console, as well as individual operating system entries. Please note that this will not stop dedicated individuals, especially the ones that know what they are doing. But I assume you know that. Let's get started.

generate a password hash..

You could store your grub password in plain text but that is entirely insecure and anyone that had access to your account could quickly figure it out. To prevent this we hash the password using the grub-mkpasswd-pbkdf2 command, like so:

user@host~ % grub-mkpasswd-pbkdf2
Enter password: 
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.63553D205CF6E...  

While you type your password no characters will show in the terminal; this is to prevent people looking over your shoulder, etc. Now, copy the entirety of your hash with Ctrl+Shift+C.

protecting the config, console..

Run:

sudo nano /etc/grub.d/40_custom  

This will create a new configuration file called 40_custom in grub's configuration directory. Now add the lines:

set superusers="username"  
password_pbkdf2 username hash  

Where username is a username of your choice and hash is the hash we generated in the last command. Press Ctrl+O and then Ctrl+X to save and quit. Run:

sudo update-grub  

To finalize the changes. Now, when anyone attempts to edit the grub configuration or access a grub console it will prompt them for a username and password.

password protecting operating system entries..

Currently the only method to achieve this I can find is to edit the /boot/grub/grub.cfg manually. This is only temporary, however, as any new kernel update will rewrite this file and your passwords will be gone (note that this doesn't affect the console/editing password we set above). All other methods I have found so far are extremely out of date and I can no longer get them to work.

I've asked the grub mailing list if there is a newer method and will edit this answer as soon as I find out.

Fabby
Seth
6

The GRUB manual has a section about security. This tells you how to password protect your GRUB boot menu to restrict access to specific operations or boot variants. It contains a small example.

NZD
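A way to check the result of the steps in the first answer against the rules in the GRUB manual's security section mentioned in the second (an added example, not code from either answer or from the GRUB project): it reads a generated grub.cfg and reports whether superusers is set, whether the password is hashed, and which menu entries boot without a password because they carry --unrestricted. Per the GRUB manual, once superusers is set an entry with neither --unrestricted nor --users can only be booted by a superuser. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how a generated grub.cfg is password protected.
# Verdicts are printed at END because 40_custom content is emitted after
# the 10_linux menu entries, so "set superusers" comes late in the file.
audit_grub_cfg() {
    awk -v q="'" '
    /^[ \t]*set[ \t]+superusers=/ {
        su = $0; sub(/^[^=]*=/, "", su); sub(/[ \t]+$/, "", su)
        gsub("[\"" q "]", "", su)
    }
    /^[ \t]*password_pbkdf2[ \t]/ { hashed[$2] = 1 }
    /^[ \t]*password[ \t]/        { plain[$2] = 1 }
    /^[ \t]*menuentry[ \t]/ {
        title = "?"
        if (match($0, "[" q "\"][^" q "\"]*[" q "\"]"))
            title = substr($0, RSTART + 1, RLENGTH - 2)
        if ($0 ~ /--unrestricted/)    st = "open"
        else if ($0 ~ /--users[ \t]/) st = "listed-users"
        else                          st = "superuser-only"
        n++; name[n] = title; state[n] = st
    }
    END {
        if (su == "") print "FAIL superusers not set"
        else          print "OK superusers=" su
        for (u in plain)  print "WARN plaintext password for " u
        for (u in hashed) print "OK pbkdf2 hash for " u
        # Without superusers GRUB enforces nothing, so every entry is open.
        for (i = 1; i <= n; i++)
            print "ENTRY " (su == "" ? "open" : state[i]) ": " name[i]
    }' "$1"
}

# Constructed sample shaped like update-grub output (not from a real host).
sample_cfg() {
    cat <<'EOF'
menuentry 'Ubuntu' --class ubuntu --unrestricted {
	linux /vmlinuz root=/dev/sda1 ro quiet splash
}
menuentry 'Ubuntu (recovery mode)' --class ubuntu {
	linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
}
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER
EOF
}

if [ "$#" -gt 0 ]; then audit_grub_cfg "$1"; else sample_cfg | audit_grub_cfg -; fi
```

Pass /boot/grub/grub.cfg as the argument to audit a real system; with no argument the script audits the constructed sample.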